Topology diagram:
Note: every router in the diagram is replaced by a firewall.
Requirements analysis:
Build IPsec tunnels so that the internal networks of the Beijing headquarters, the Shanghai branch and the Zhengzhou branch can reach one another, with the traffic encrypted in transit to keep the communication secure.
Lab steps
1. Beijing headquarters configuration
F1
[F1]dis cu
ike local-name f1
#
firewall packet-filter enable  (enable packet filtering)
firewall packet-filter default permit  (default action: permit)
#
ike peer peer1  (define the IKE peer for F2)
exchange-mode aggressive  (IKE aggressive mode)
pre-shared-key 123456  (pre-shared key)
id-type name  (identify the peer by name)
remote-name f2
#
ike peer peer2  (define the IKE peer for F3)
exchange-mode aggressive  (IKE aggressive mode)
pre-shared-key 654321  (pre-shared key)
id-type name  (identify the peer by name)
remote-name f3
#
ipsec proposal tran1  (security proposal tran1)
#
ipsec proposal tran2  (security proposal tran2)
#
ipsec policy policy1 10 isakmp  (security policy, entry 10, negotiated by IKE)
security acl 3000  (reference ACL 3000 as the protected flow)
ike-peer peer1  (bind IKE peer peer1)
proposal tran1  (reference proposal tran1)
#
ipsec policy policy1 20 isakmp  (security policy, entry 20, negotiated by IKE)
security acl 3001  (reference ACL 3001 as the protected flow)
ike-peer peer2  (bind IKE peer peer2)
proposal tran2  (reference proposal tran2)
#
acl number 3000
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 1 deny ip
acl number 3001
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 1 deny ip
#
interface Ethernet0/0
ip address 192.168.1.254 255.255.255.0
#
interface Ethernet0/3
ip address 202.196.10.100 255.255.255.0
ipsec policy policy1  (apply the policy on the interface)
firewall zone trust
add interface Ethernet0/0
add interface Ethernet0/3
add interface Ethernet0/4
set priority 85
ip route-static 0.0.0.0 0.0.0.0 202.196.10.1 preference 60  (default route)
[F1]dis ipsec proposal  (view the security proposals)
IPsec proposal name: tran2
encapsulation mode: tunnel
transform: esp-new
ESP protocol: authentication md5-hmac-96, encryption des
IPsec proposal name: tran1
encapsulation mode: tunnel
transform: esp-new
ESP protocol: authentication md5-hmac-96, encryption des
[F1]dis ipsec tunnel  (view tunnel information)
------------------------------------------------
Connection ID : 3
Perfect forward secrecy: None
SA's SPI :
Inbound : 855708328 (0x330112a8) [ESP]
Outbound : 3269242184 (0xc2dcad48) [ESP]
Tunnel :
Local Address: 202.196.10.100 Remote Address : 202.196.20.2
Flow : (26 times matched)
Sour Addr : 192.168.1.0/255.255.255.0 Port: 0 Protocol : IP
Dest Addr : 192.168.2.0/255.255.255.0 Port: 0 Protocol : IP
------------------------------------------------
Connection ID : 4
Perfect forward secrecy: None
SA's SPI :
Inbound : 796132552 (0x2f7404c8) [ESP]
Outbound : 2229133607 (0x84dde127) [ESP]
Tunnel :
Local Address: 202.196.10.100 Remote Address : 202.196.30.2
Flow : (22 times matched)
Sour Addr : 192.168.1.0/255.255.255.0 Port: 0 Protocol : IP
Dest Addr : 192.168.3.0/255.255.255.0 Port: 0 Protocol : IP
##################################
2. Shanghai branch configuration
F2
[F2]dis cu
#
sysname F2
#
ike local-name f2
#
firewall packet-filter enable
firewall packet-filter default permit
#
domain system
#
ike peer peer1
exchange-mode aggressive
pre-shared-key 123456
id-type name
remote-name f1
remote-address 202.196.10.100  (the remote IP address must be specified here)
#
ipsec proposal tran1
#
ipsec policy policy1 10 isakmp
security acl 3000
ike-peer peer1
proposal tran1
#
acl number 3000
rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 1 deny ip
#
interface Ethernet0/0
ip address 192.168.2.254 255.255.255.0
#
interface Ethernet0/3
ip address dhcp-alloc
ipsec policy policy1
#
firewall zone trust
add interface Ethernet0/0
add interface Ethernet0/3
add interface Ethernet0/4
set priority 85
ip route-static 0.0.0.0 0.0.0.0 202.196.20.1 preference 60
[F2] dis ipsec proposal
IPsec安全提議名稱: tran1
封裝模式: 隧道模式
轉換方式: esp-new
ESP協議: 驗證 md5-hmac-96, des算法加密
[F2] dis ipsec policy
===========================================
安全策略組: "policy1"
接口: {Ethernet0/3}
===========================================
-----------------------------
安全策略庫: "policy1"
序列號: 10
模式: isakmp
-----------------------------
保護的數據流: 3000
數據流保護方式: 標準
IKE網關: peer1
完善的前向安全性(PFS) : None
安全提議名稱: tran1
安全聯盟的生存週期: 3600 秒
安全聯盟的生存週期: 1843200 千字節
[F2] dis ipsec tunnel
------------------------------------------------
Ipsec 隧道的連接號 : 3
前向安全特性: None
SA的SPI :
入方向 : 3269242184 (0xc2dcad48) [ESP]
出方向 : 855708328 (0x330112a8) [ESP]
隧道 :
本地地址: 202.196.20.2 對端地址 : 202.196.10.100
傳輸流 : (匹配了22次)
源端地址: 192.168.2.0/255.255.255.0 源端端口號: 0 協議: IP
目的地址: 192.168.1.0/255.255.255.0 目的端口號: 0 協議: IP
[F2]
3. Zhengzhou branch configuration
F3
[F3]dis cu
#
sysname F3
#
ike local-name f3
#
firewall packet-filter enable
firewall packet-filter default permit
#
ike peer peer2
exchange-mode aggressive
pre-shared-key 654321
id-type name
remote-name f1
remote-address 202.196.10.100  (the remote IP address must be specified here)
#
ipsec proposal tran2
#
ipsec policy policy1 20 isakmp
security acl 3001
ike-peer peer2
proposal tran2
#
acl number 3001
rule 0 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 1 deny ip
interface Ethernet0/0
ip address 192.168.3.254 255.255.255.0
#
interface Ethernet0/3
ip address dhcp-alloc
ipsec policy policy1
#
firewall zone trust
add interface Ethernet0/0
add interface Ethernet0/3
add interface Ethernet0/4
set priority 85
#
ip route-static 0.0.0.0 0.0.0.0 202.196.30.1 preference 60
#
[F3]dis ipsec policy
===========================================
IPsec Policy Group: "policy1"
Using interface: {Ethernet0/3}
===========================================
-----------------------------
IPsec policy name: "policy1"
sequence number: 20
mode: isakmp
-----------------------------
security data flow : 3001
selector mode: standard
ike-peer name: peer2
perfect forward secrecy: None
proposal name: tran2
IPsec sa local duration(time based): 3600 seconds
IPsec sa local duration(traffic based): 1843200 kilobytes
[F3]dis ipsec proposal
IPsec proposal name: tran2
encapsulation mode: tunnel
transform: esp-new
ESP protocol: authentication md5-hmac-96, encryption des
[F3]dis ipsec tunnel
------------------------------------------------
Connection ID : 3
Perfect forward secrecy: None
SA's SPI :
Inbound : 2229133607 (0x84dde127) [ESP]
Outbound : 796132552 (0x2f7404c8) [ESP]
Tunnel :
Local Address: 202.196.30.2 Remote Address : 202.196.10.100
Flow : (14 times matched)
Sour Addr : 192.168.3.0/255.255.255.0 Port: 0 Protocol : IP
Dest Addr : 192.168.1.0/255.255.255.0 Port: 0 Protocol : IP
[F3]
4. Configuration of the Layer 3 switch in the network
[SW13]dis cu
sysname SW13
dhcp server ip-pool shanghai
network 202.196.20.0 mask 255.255.255.0
#
dhcp server ip-pool zhengzhou
network 202.196.30.0 mask 255.255.255.0
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 30
#
interface Vlan-interface1
ip address 192.168.100.33 255.255.255.0
#
interface Vlan-interface10
ip address 202.196.10.1 255.255.255.0
#
interface Vlan-interface20
ip address 202.196.20.1 255.255.255.0
#
interface Vlan-interface30
ip address 202.196.30.1 255.255.255.0
interface Ethernet0/6
port access vlan 10
interface Ethernet0/12
port access vlan 20
#
interface Ethernet0/18
port access vlan 30
#
dhcp server forbidden-ip 202.196.20.1
dhcp server forbidden-ip 202.196.30.1
#
[SW13]dis dhcp server ip-in-use all  (view the DHCP server state)
Global pool:
IP address Hardware address Lease expiration Type
202.196.20.2 3ce5-a67f-374b Mar 29 2012 18:31:43 PM Auto:COMMITTED
202.196.30.2 3ce5-a6ce-1895 Mar 29 2012 19:52:32 PM Auto:COMMITTED
5. Testing:
Beijing to Shanghai branch
Beijing to Zhengzhou branch
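As an added example (not part of the original lab), a small Python audit of the hub/spoke pairing this design depends on: with id-type name, each spoke's remote-name must equal the hub's local-name, the hub must hold a peer naming that spoke with the same pre-shared key, and the spoke's ACL must be the mirror image of a hub ACL. The config excerpts are constructed from the values above, and the parser only understands the handful of commands used in this lab.

```python
# Constructed excerpts of the hub (F1) and Shanghai spoke (F2) configs from the lab above.
HUB = """ike local-name f1
ike peer peer1
 pre-shared-key 123456
 remote-name f2
ike peer peer2
 pre-shared-key 654321
 remote-name f3
acl number 3000
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255"""
SPOKE = """ike local-name f2
ike peer peer1
 pre-shared-key 123456
 remote-name f1
acl number 3000
 rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255"""

def parse(cfg):  # collect local-name, ike peer attributes and ACL permit selectors
    d, cur = {"peers": {}, "acls": {}}, None
    for t in filter(None, (line.split() for line in cfg.splitlines())):
        if t[:2] == ["ike", "local-name"]:
            d["name"] = t[2]
        elif t[:2] == ["ike", "peer"]:
            cur = d["peers"].setdefault(t[2], {})
        elif t[:2] == ["acl", "number"]:
            cur = d["acls"].setdefault(t[2], set())
        elif t[0] == "rule" and t[2] == "permit":
            cur.add((t[5], t[6], t[8], t[9]))  # (src, src-wildcard, dst, dst-wildcard)
        elif t[0] in ("pre-shared-key", "remote-name"):
            cur[t[0]] = t[1]
    return d

def audit(hub_cfg, spoke_cfg):
    """Return the mismatches between the hub and one spoke; an empty list means they agree."""
    h, s, issues = parse(hub_cfg), parse(spoke_cfg), []
    for name, sp in s["peers"].items():
        # id-type name: spoke remote-name == hub local-name, and the hub peer naming this spoke shares the PSK
        if sp.get("remote-name") != h["name"]:
            issues.append(f"peer {name}: remote-name {sp.get('remote-name')} is not hub local-name {h['name']}")
        hp = [p for p in h["peers"].values() if p.get("remote-name") == s["name"]]
        if not hp:
            issues.append(f"hub has no ike peer with remote-name {s['name']}")
        elif hp[0].get("pre-shared-key") != sp.get("pre-shared-key"):
            issues.append(f"pre-shared-key mismatch for spoke {s['name']}")
    # every spoke selector must exist on the hub with source and destination swapped
    for num, rules in s["acls"].items():
        mirror = {(dst, dw, src, sw) for (src, sw, dst, dw) in rules}
        if not mirror <= set().union(*h["acls"].values()):
            issues.append(f"spoke acl {num} has no mirror-image selector in the hub ACLs")
    return issues
```

The proposals in this lab keep the platform defaults, which the dis ipsec proposal output above shows as ESP with the legacy DES and HMAC-MD5-96 algorithms; because defaults are not written to the saved configuration, a config-file audit like this one cannot see them and the proposal output has to be reviewed separately.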